General

  • Target

    entropy.exe

  • Size

    14.2MB

  • Sample

    240801-mfa5zswbqj

  • MD5

    0e40b0eb1e7a6672ca2812ad78ee714b

  • SHA1

    51d13063ac9e6c7225fcbda4f13b68b051ca96e2

  • SHA256

    95e29851fb9d29ee21c48dc87bb669ec06d2a6db60922ec73043b8fd4630d035

  • SHA512

    450dcb23d2fc83ad36fe4bb71d195b964681ff61c737856d2d4f2910c0a356c3f1f70731c86cd0321d02c234b57ebbc6380bb6e50b2bb1f9982d682ad8902c88

  • SSDEEP

    196608:HWJafoL/tUoTX4ZVbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:HWsfm/sbh1lkSFCdTauZo

Malware Config

Extracted

Family

skuld

C2

https://ptb.discord.com/api/webhooks/1267058261421719747/N7C5RP-wXgHeSDB4BWMs2Ko5UBBiIQ709xogOS8u0YASraLWDzWwh6t3glJbMvIoMV9U

Targets

    • Target

      entropy.exe

    • Size

      14.2MB

    • MD5

      0e40b0eb1e7a6672ca2812ad78ee714b

    • SHA1

      51d13063ac9e6c7225fcbda4f13b68b051ca96e2

    • SHA256

      95e29851fb9d29ee21c48dc87bb669ec06d2a6db60922ec73043b8fd4630d035

    • SHA512

      450dcb23d2fc83ad36fe4bb71d195b964681ff61c737856d2d4f2910c0a356c3f1f70731c86cd0321d02c234b57ebbc6380bb6e50b2bb1f9982d682ad8902c88

    • SSDEEP

      196608:HWJafoL/tUoTX4ZVbh1Yf0k7Ma/rkFlgdTaUrPPbdfw:HWsfm/sbh1lkSFCdTauZo

    • Skuld stealer

      An info stealer written in Go lang.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15

Tasks